IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring SOAPInput and SOAPReply nodes to use SSL (HTTPS)

Configure the SOAP nodes to communicate with other applications that use HTTPS by creating a keystore file, and configuring the broker to use SSL.

Before you start: Set up a public key infrastructure (PKI) at broker or integration server level, as described in Setting up a public key infrastructure.

Follow these steps to configure the SOAPInput and SOAPReply nodes to communicate with other applications using HTTP over SSL:

  1. If you are using the broker listener: Configure the broker to use SSL
  2. If you are using the integration server (embedded) listener: Configure an integration server to use SSL
  3. Test your configuration

If you configured your broker and integration servers such that the broker listener is used for some integration servers, and the integration server listener for other integration servers, you must complete step 1 for the first set of integration servers and step 2 for each integration server in the second set.

For information about which listener to use for HTTP messages, see HTTP listeners.

Configuring the broker to use SSL

Complete the following steps:

  1. Turn on SSL support in the broker, by setting a value for enableSSLConnector:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPListener
      -n enableSSLConnector -v true
  2. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the broker listens:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPSConnector
      -n port -v port_number

    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024.

    For the broker to listen on these ports, the user ID under which the broker is started must be root.
  3. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties broker_name -b httplistener -o HTTPSConnector
      -n clientAuth -v true 
  4. Restart the broker after changing one or more of the HTTP listener properties.
  5. Optional: Use the following commands to display HTTP listener properties:
    mqsireportproperties broker_name -b httplistener -o AllReportableEntityNames -a 
    mqsireportproperties broker_name -b httplistener -o HTTPListener -a 
    mqsireportproperties broker_name -b httplistener -o HTTPSConnector  -a 

Configuring an integration server to use SSL

Complete the following steps:

  1. Optional: Specify the port on which the integration server listens for HTTPS requests, or leave the value unset to use the next available port number.
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n explicitlySetPortNumber -v port_number
    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the integration server to listen on these ports, the user ID under which the broker is started must be root.

    If you do not complete this step, the first available port in the default range (7843 - 7884) is used.

  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n clientAuth -v true 
  3. Optional: Change the SSL protocol. The default protocol for the integration server's HTTPS connections is TLS. Run the following command to change it to SSL:
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n sslProtocol -v SSL
  4. Restart the broker after changing one or more of the listener properties.
  5. Optional: Use the following command to display HTTPS properties:
    mqsireportproperties broker_name 
      -e integration_server_name -o HTTPSConnector  -r 
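The two procedures above combined into one script, added here as an example that is not part of the IBM documentation: it checks the chosen port first (ports below 1024 need root, as noted above), applies the mqsichangeproperties settings for either the broker listener or an integration server listener, and reminds you to restart the broker. It assumes that mqsichangeproperties is on the PATH of the broker command environment; IIB_DRY_RUN, port_is_usable, configure_broker_listener and configure_server_listener are names chosen for this example, not product settings.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: applies the HTTPS listener
# settings from the broker-listener and integration-server procedures.
# Assumes mqsichangeproperties is on PATH. With IIB_DRY_RUN=1 (a name chosen
# here, not an IIB setting) the commands are printed instead of executed.

# Run a command, or print it when dry-running.
run_cmd() {
  if [ "${IIB_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# port_is_usable PORT [UID]: returns 0 when PORT is numeric and in 1-65535,
# and is either >= 1024 or the (given or current) user id is root, because
# only root can bind ports below 1024 on UNIX.
port_is_usable() {
  p=$1
  uid=${2:-$(id -u)}
  case $p in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  if [ "$p" -lt 1024 ] && [ "$uid" -ne 0 ]; then
    return 1
  fi
  return 0
}

# configure_broker_listener BROKER [PORT] [true]: broker (httplistener)
# procedure. An empty PORT keeps the default HTTPS port 7083; a third
# argument of "true" also enables client authentication.
configure_broker_listener() {
  b=$1; p=$2; ca=${3:-false}
  run_cmd mqsichangeproperties "$b" -b httplistener -o HTTPListener -n enableSSLConnector -v true || return 1
  if [ -n "$p" ]; then
    port_is_usable "$p" || { echo "port $p is not usable by this user" >&2; return 1; }
    run_cmd mqsichangeproperties "$b" -b httplistener -o HTTPSConnector -n port -v "$p" || return 1
  fi
  if [ "$ca" = true ]; then
    run_cmd mqsichangeproperties "$b" -b httplistener -o HTTPSConnector -n clientAuth -v true || return 1
  fi
  echo "restart broker $b for the listener change to take effect" >&2
}

# configure_server_listener BROKER SERVER [PORT] [true]: integration server
# procedure. An empty PORT leaves explicitlySetPortNumber unset, so the next
# free port in the default range (7843 - 7884) is used.
configure_server_listener() {
  b=$1; s=$2; p=$3; ca=${4:-false}
  if [ -n "$p" ]; then
    port_is_usable "$p" || { echo "port $p is not usable by this user" >&2; return 1; }
    run_cmd mqsichangeproperties "$b" -e "$s" -o HTTPSConnector -n explicitlySetPortNumber -v "$p" || return 1
  fi
  if [ "$ca" = true ]; then
    run_cmd mqsichangeproperties "$b" -e "$s" -o HTTPSConnector -n clientAuth -v true || return 1
  fi
  echo "restart broker $b for the listener change to take effect" >&2
}
```

Run with IIB_DRY_RUN=1 first to review the exact commands before applying them; after the real run, restart the broker and confirm the values with the mqsireportproperties commands listed in step 5 of each procedure.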

Testing your configuration

Use the SOAP Nodes sample to test your configuration. You can view information about samples only when you use the product documentation that is integrated with the IBM® Integration Toolkit or the online product documentation. You can run samples only when you use the product documentation that is integrated with the IBM Integration Toolkit.
  1. Import the SOAP Nodes sample.
  2. Enable SSL in the SOAPNodesSampleConsumerFlow message flow by completing the following steps:
    1. Open the Invoke_submitPO subflow.
    2. Change the HTTPTransport properties for the SOAPRequest node. In the Web Service URL field, make the following changes:
      • Change http to https
      • Change the port number to the port number of your HTTPSConnector port.
      Note: The default value of the HTTPSConnector port is 7843, but you can use the following command to verify the port number that is configured in your deployment.
      mqsireportproperties broker_name -e integration_server_name -o HTTPSConnector -n port
      If there are no other HTTPS services in your deployment, the mqsireportproperties command returns a 0 and you should be able to use the default value of 7843 for your HTTPSConnector port.
    3. If you set up your public key infrastructure by following the instructions that are detailed in Setting up a public key infrastructure, all other properties should be correct. Otherwise, you must select the appropriate protocol and change other SSL properties to match your configuration.
  3. Enable SSL in the SOAPNodesSampleProvider message flow by opening the properties for the SOAPInput node and selecting Use HTTPS in the HTTP Transport properties panel.
  4. If OrderService_SOAPNodesSampleProviderFlow and submitPO_OrderService_SOAPNodesSampleConsumerFlow are not already subflows, you must convert them to subflows. For more information about converting between message flows and subflows, see Converting between message flows and subflows.
  5. Refresh the BAR file and deploy.
  6. Test the sample. For example, you can test the sample by completing the following steps:
    1. From a web browser, enter the following URL.
      https://localhost:port_number/acmeOrders/WADDR/ProcessOrders
      where port_number is the port number of your HTTPSConnector port.
    2. When you are prompted to accept the certificate, click Yes.

    If you are using a self-signed certificate in your PKI, the sample is working correctly if the browser window displays the message There is a problem with this web site's security certificate.

    If you are using a certificate from a certificate authority in your PKI, the sample is working correctly if the browser displays a lock symbol next to the URL.
    Note: You can ignore any error messages that are associated with the sample.
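A command-line counterpart to the browser check above, added here as an example that is not part of the IBM sample or documentation: classify_tls_output reads the report that openssl s_client prints (OpenSSL 1.1 and 3.x output format) and maps it to the outcomes described above, negotiated_protocol extracts the TLS version from the same report, and check_https_listener connects to a listener and classifies the result. It assumes the openssl command-line tool is installed; the three function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: checks an HTTPS listener from
# the command line instead of a browser. Assumes the openssl CLI is installed.

# classify_tls_output: s_client output on stdin; prints one word and returns
# 0 only for an outcome that means the listener is working:
#   trusted          chain verified (a browser would show the lock symbol)
#   self-signed      handshake worked, certificate self-signed (browser warning)
#   handshake-failed TCP connected but no TLS session (no cipher negotiated)
#   verify-failed:N  session established, chain failed with X509 verify code N
#   no-connection    nothing was printed (connection refused or timed out)
classify_tls_output() {
  out=$(cat)
  if [ -z "$out" ]; then echo "no-connection"; return 1; fi
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\(.*\)$/\1/p' | head -n 1)
  code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
  case $cipher in
    ''|0000|'(NONE)') echo "handshake-failed"; return 1 ;;
  esac
  case $code in
    0)     echo "trusted" ;;
    18|19) echo "self-signed" ;;   # self-signed leaf / self-signed cert in chain
    '')    echo "handshake-failed"; return 1 ;;
    *)     echo "verify-failed:$code"; return 1 ;;
  esac
}

# negotiated_protocol: prints the Protocol value (for example TLSv1.2) from
# s_client output on stdin, so the effect of sslProtocol can be confirmed.
negotiated_protocol() {
  sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1
}

# check_https_listener HOST [PORT]: connect to the listener (default port
# 7843, the HTTPSConnector default) and print the classification and the
# negotiated protocol; the exit status follows classify_tls_output.
check_https_listener() {
  host=$1
  port=${2:-7843}
  # openssl exits nonzero when it cannot connect; an empty report is handled
  # by classify_tls_output as no-connection.
  report=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || true
  printf '%s\n' "$report" | classify_tls_output
  rc=$?
  printf 'protocol: %s\n' "$(printf '%s\n' "$report" | negotiated_protocol)"
  return $rc
}
```

A result of self-signed corresponds to the browser warning described above and trusted to the lock symbol; the protocol line lets you confirm that the version you expect (TLS by default, or whatever sslProtocol was changed to) is actually negotiated after the restart.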

ap34021_.htm | Last updated Friday, 21 July 2017